Reference to Appendix

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the patent file or records, but otherwise reserves all copyright rights whatsoever.

Background of the Invention

The Internet, which started in the late 1960s, is a vast computer network consisting of many smaller networks that span the entire globe. The computers attached to the Internet, known as "hosts", allow public access to information from sources ranging from government to many commercial organizations.

Information on an Internet host is kept in files stored on magnetic storage devices, such as fixed disks, local to the host. An Internet server may distribute that information to any computer that requests the files on the host. The computer making such a request is known as the "client", which may be an Internet-connected workstation, bulletin board system, or home personal computer (PC).

TCP/IP (Transmission Control Protocol/Internet Protocol) is one networking protocol that permits full use of the Internet. All computers on a TCP/IP network need unique ID codes. Each computer or host on the Internet is identified by a unique number known as the IP (Internet Protocol) number or address, and by corresponding network and computer names. In the past an Internet user gained access to its resources only by identifying the host computer and a path through the host's storage to locate a requested file. Although various navigating tools have helped users to search through specific host addresses, these tools still require a substantial technical knowledge of the Internet.

The World Wide Web (Web) is a method of accessing information on the Internet which allows a user to navigate the Internet resources intuitively, without IP addresses or other technical knowledge. The Web dispenses with command-line utilities which typically require a user to transmit sets of commands to communicate with an Internet server. Instead, the Web is made up of interconnected "pages", or documents, which can be displayed on a computer monitor. The Web pages are provided by hosts running special server software. The software which runs these Web servers is relatively simple and is available on a wide range of computer platforms. Equally available is client software, known as a Web "browser", which is used to display Web pages and has made the Web a widely used method of Internet communication.
The Web is based on the concept of hypertext and a transfer method known as "HTTP" (Hypertext Transfer Protocol). HTTP is designed to run primarily over TCP/IP and uses the standard Internet arrangement in which a server issues the data and a client displays or processes it. One format for information transfer is to create documents using Hypertext Markup Language (HTML). HTML pages are made up of standard text as well as formatting codes which indicate how the page should be displayed; the Web client, or browser, reads these codes in order to display the page. The hypertext conventions and related functions of the World Wide Web are described in the appendices of U.S. Patent Application Serial No. [illegible].

si ds a" . Hidden be " iM Pl«™» or 

( links"), to other pages with^ 

» =u»r =o. PUts « „ it j„ 9 the n t: n :r 7- — « — > - 

may be viau.il, „ , """rn.t. For sxanple, ii nko 

unLx™ l;;:: ni as words or phrases ™ - 

directed to a w H " COl0r " EaCh lin * i» 

rected to a web page by using g ^ 

(Uniform Resource Locator-i rmr a URL 

« go directly to any LL" L ^ 3 t0 

y --u any tale held on any Web servpr * 

also specify a known URL by writin" it dir ^' • 
command line on a W eb paae t Erectly xnto the 

The URr 3UmP t0 an ° ther Web P^e- 

The URL naming system consists of three parts: the transfer format, the host name of the machine that holds the file, and the path to the file. An example of a URL may be:

http://www.college.univ.edu/Adir/Bdir/Cdir/page.html

where "http" represents the transfer protocol; the two forward slashes (://) are used to separate the transfer format from the host name; "www.college.univ.edu" is the host name in which "www" denotes that the file being requested is a Web page; "/Adir/Bdir/Cdir" is a set of directory names in a tree structure, or a path, on the host machine; and "page.html" is the file name with an indication that the file is written in HTML.

The Internet maintains an open structure in which exchanges of information are made cost-free without restriction. The free access format inherent to the Internet, however, presents difficulties for those information providers requiring control over their Internet servers. Consider, for example, a research organization that may want to make certain technical information available on its Internet server to a large group of colleagues around the globe, but the information must be kept confidential. Without means for identifying each client, the organization would not be able to provide information on the network on a confidential or preferential basis. In another situation, a company may want to provide highly specific service tips over its Internet server only to customers who have purchased its products. Access control by a server is difficult for at least two reasons.

First, a client's request for a file on a remote Internet server is routed or relayed by a web of computers connected through the Internet until it reaches the destination host. The client does not necessarily know how its message reaches the server. At the same time, the server makes responses without ever knowing exactly who the client is or what its IP address is: the source address it sees may belong to an intermediate proxy or gateway rather than to the user's own machine. While the server may be programmed to trace its clients, the task of tracing is often difficult, if not impossible.

Second, to prevent unwanted intrusions into private local area networks (LAN), system administrators implement various data-flow control mechanisms, such as Internet "firewalls", within their networks. An Internet firewall allows a user to reach the Internet anonymously while preventing intruders of the outside world from accessing the user's LAN.

Summary of the Invention

The present invention relates to a method of processing service requests from a client to a server through a network. In particular, the present invention is applicable to processing client requests in an information network such as the World Wide Web, over the Internet. In a preferred embodiment, the present invention involves returning a session identifier (SID) from the server to the client upon an initial service request made by the client. A valid SID may include an authorization identifier to allow a user to access controlled files.

In a preferred embodiment, a client initially makes a request to a content server to access a controlled file. If the request does not include a valid SID, the content server redirects the request to an authentication server, which may be at a different host. The authentication server then validates the client and, if the client is authorized, issues an SID to the client. If the client does not have an account, the authentication server may open a new account and issue an SID thereafter. A new SID typically comprises a user identifier, an accessible domain, a key identifier, an expiration time such as a date, the IP address of the user computer, and an unforgeable digital signature such as a cryptographic hash of all of the other items in the SID encrypted with a secret key. The authentication server then forwards a new request consisting of the original URL appended by the SID to the client in a REDIRECT. The modified request formed by the new URL is then automatically forwarded by the client to the content server.

When the content server receives a URL request accompanied by an SID, it logs the URL with the SID and the user IP address in a transaction log and proceeds to validate the SID. If the SID is valid, the content server sends the requested document for display by the client's Web browser.

In a preferred embodiment, a valid SID allows the client to access all controlled files within a protection domain without requiring further authorization. A protection domain is defined by the service provider and is a collection of controlled files residing within one or more servers.

validW" a th Client 3CCeSSeS 9 COntr ° lled WSb ^ ^ a 
5 l t " eWi " 9 Pa9e - y Want to traverse a 

link to vxew another Web page. There are several 
possxbxiities. The user may traverse a lin, ! 
oarto *-u erse a Imk to another 

page xn the same nat-h Thi- • 

A rpi a f , • 15 Called a "relative link" 

A relative Ixnk may be made either within th. t ' 

or to a riiff Q v. 4. within the same domain 

to a different domain. The browser on the client 

:; iative iink by — - ~ 
^nr for the - — ■ « - -"Lr 

Points to a page in the same protection domain the SID 
remains valid an^ *-k ' biD 

' reqU6St is ho "°red. However, if the 



ewSDOCIO; -WO . .9642MIA2 t. 



WO 96/42041 



PCT/US96/07838 



-7- 



35 



relative i ink points to a controll-d 
protection domain, the SID is no i 

client i« a .H- J ° nger Valid ' and the 

client is automatically redirer-i-or* * 

URL to the authentication ^ ^ — itte " 

5 unrt^n Utftentlcatl °n server to update the SID. The 

5 updated or new SID provides access to th P . • 

user is qualified. d0n,ain if the 

The user may also elect to traverse an absolute link to a document in a different path. Because the browser does not use the current URL in generating a new absolute URL, the SID embedded in the current URL is dropped. In one preferred embodiment, the content server, in serving a controlled Web page within the domain, filters the page to insert the current SID into each absolute URL on the page. Hence, when the user traverses an absolute link, the request still carries the SID even though the document is in a different path. In another embodiment, the content server does not filter the page; an absolute link to a controlled page then arrives without an SID, and the request is redirected to the authentication server to obtain a new SID as before. An absolute link directed to an uncontrolled page is accorded immediate access.
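The link handling described above, as an added example in Python (this is not the patent's code or Open Market's implementation). The URL shape is the page's ("http://content.com/[SID]/report"); the 16-character SID value, the page markup and the set of hosts that make up the protection domain are constructed. The example shows the browser's side (a relative link inherits the SID path segment, an absolute link drops it) and the content-server filter that re-inserts the SID into absolute links, restricted to hosts inside the protection domain so that the SID is never written into a link pointing at a third-party site:

```python
# Added example, not part of the patent. SID carried as the first path
# segment of the URL, as in "http://content.com/[SID]/report".
import re
from urllib.parse import urljoin, urlsplit, urlunsplit

SID = "AbCdEfGhIjKlMnOp"          # constructed 16-character SID
DOMAIN_HOSTS = {"content.com"}      # assumed: hosts in this protection domain


def is_sid(segment):
    """A SID segment is 16 characters from a 64-symbol alphabet (assumed)."""
    return len(segment) == 16 and segment.replace("-", "").replace("_", "").isalnum()


def split_sid(url):
    """Return (sid or None, url with the SID segment removed)."""
    parts = urlsplit(url)
    segs = parts.path.split("/")
    if len(segs) > 1 and is_sid(segs[1]):
        return segs[1], urlunsplit(parts._replace(path="/" + "/".join(segs[2:])))
    return None, url


def resolve(current_url, href):
    """What the browser does: a relative href is resolved against the current
    URL and so inherits the SID segment; an absolute href replaces it."""
    return urljoin(current_url, href)


def tag(url, sid):
    """Insert the SID as the first path segment (the content-server filter)."""
    existing, _ = split_sid(url)
    if existing:
        return url
    parts = urlsplit(url)
    path = parts.path if parts.path.startswith("/") else "/" + parts.path
    return urlunsplit(parts._replace(path="/" + sid + path))


HREF = re.compile(r'href="([^"]*)"')


def filter_page(html, page_url, sid):
    """Rewrite absolute links on a controlled page so they carry the SID.
    Only links to hosts in the protection domain are tagged; relative links
    are left alone because the browser keeps the SID for them anyway."""
    def fix(match):
        href = match.group(1)
        if not urlsplit(href).scheme:
            return match.group(0)
        absolute = urljoin(page_url, href)
        if urlsplit(absolute).hostname in DOMAIN_HOSTS:
            return 'href="%s"' % tag(absolute, sid)
        return match.group(0)
    return HREF.sub(fix, html)
```

Two practical points follow from the model. A segment that merely looks like a SID is ambiguous with an ordinary 16-character path component, which is why the appendix code looks for a fixed marker string in front of the SID rather than for length alone. And any link the filter does tag becomes a credential on the page: the Referer header of a subsequent request, bookmarks and proxy logs all carry it, which is the reason for confining tagging to hosts in the protection domain.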
In another embodiment, access control may be maintained by programming a special tag, such as an HTML tag, or a similar tag for use in a browser to hold the SID for a particular server. This approach requires a special browser which can process the tag, and may not be suitable where a standard browser is used to access the Web.
Another aspect of the invention is a method to monitor the frequency and duration of access to controlled and uncontrolled Web pages. The content server keeps a history of each client access to a page, including the time of the request. The content server counts client requests exclusive of repeated requests from a common client, so that repeated requests from a single client do not distort the access pattern, and analyzes the relationships between pages and access patterns.

The above and other features of the invention, including various novel details of construction and combinations of parts, will now be more particularly described with reference to the accompanying drawings and pointed out in the claims. It will be understood that the particular devices and methods embodying the invention are shown by way of illustration and not as a limitation of the invention. The principles and features of this invention may be employed in varied and numerous embodiments without departing from the scope of the invention.

Brief Description of the Drawings

Figure 1 is a diagram illustrating the operation of the Internet.

Figure 2A is a flowchart detailing the preferred method of Internet access control and monitoring of the present invention.

Figure 2B is a flowchart detailing the authentication process.

Figure 3 is a diagram of a typical client-server exchange using the access control and monitoring procedure.

Figure 4 illustrates a sample Web page displayed at a client by a browser.

Figure 5 illustrates an authorization form page.

Figure 6 is a diagram showing the details of the translation of telephone numbers to URLs.
Referring now to the drawings, Figure 1 is a diagram of the Internet 10, which comprises a network of millions of interconnected computers 12, including systems owned by Internet providers 16 and bulletin board systems (BBS) 20 such as CompuServe or America Online. Individual or corporate users establish connections to the Internet in several ways. A user on a home PC 14 may purchase an account through the Internet provider 16. Using a modem 22, the PC user can dial up the Internet provider to connect to a high speed modem 24 which, in turn, provides a full service connection to the Internet. A user 18 may also make a somewhat limited connection to the Internet through a BBS 20 that provides an Internet gateway connection to its customers.

Figure 2A is a flowchart detailing the preferred steps of the present invention, and Figure 4 illustrates a sample Web page displayed at a client by a browser. The page includes text 404 which includes underlined link text 412. In the current page, shown in Figure 4, the title of the page is "Content Home Page" and the corresponding URL is "http://content.com/homepage". When a cursor 414 is positioned over link text 412b, the page which would be retrieved by clicking a mouse is typically identified in a status bar 406 which shows the URL for that link. In this example, the status bar shows that the URL for the pointed link 412b is directed to a page called "advertisement" in a commercial content server called "content". By clicking on the link text, the user causes the browser to generate a URL GET request 100 in Figure 2A. The browser forwards the request to a content server 110, which processes the request by determining whether the requested page is a controlled document 102.

If the request is directed to an uncontrolled page, as with the "advertisement" page in this example, the content server records the URL and the IP address of the client, to the extent it is available, in the transaction log 114. The content server then sends the requested page to the browser 116 for display on the client.

If the request is directed to a controlled page, the content server determines whether the URL contains an SID 104. For example, a URL may be directed to a controlled page named "report", such as "http://content.com/report". If the URL does not contain an SID, as in this example, the content server sends a "REDIRECT" response 122 to the browser 100 to redirect the user's initial request to an authentication server 200 to obtain a valid SID. The details of the authentication process are described in Figure 2B and will be discussed later.

The authentication server provides the client browser with a valid SID, and the request is then repeated with the SID inserted into the URL, such as "http://content.com/[SID]/report". The preferred SID is a sixteen character ASCII string that encodes 96 bits of SID data, six bits per character. It contains an expiration date with a granularity of one hour, a 2-bit key identifier used for key management, a domain field identifying the set of information to which the SID authorizes access, and a 22-bit digital signature encrypted with a secret key shared between the authentication and content servers.

If the initial GET URL contains an SID, the content server determines whether the URL is directed to a page within the current domain 106. If the URL is directed to a controlled page of a different domain, the SID is no longer valid and again the client is redirected to the authentication server 122.

If the request is for a controlled page within the current domain, the content server validates the SID 108. Validation includes the following list of checks: (1) the digital signature in the SID is compared against the digital signature computed from the remaining items in the SID and the secret key shared by the authentication and content servers; (2) the domain field of the SID is checked to verify that it covers the current domain; and (3) the expiration time is checked to verify that it is later than the current time. Because the signature is a hash keyed by a secret shared between the authentication server and the content servers, every server holding the secret can mint SIDs as well as verify them, so the secret must be protected on each content server as carefully as on the authentication server.

If the validation passes, the content server logs the request and forwards the requested page 112. The links contained in the page are augmented with the current SID to facilitate authentication of subsequent requests 100, which begin the entire sequence again.
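The SID format and the three validation checks above, modelled in Python as an added example (this is not the patent's code or Open Market's implementation, and it serves both the description of the SID format and of the validation sequence). Field widths that the page no longer shows are assumptions: a 32-bit user identifier, an 8-bit domain, the 2-bit key identifier, a 32-bit expiration in hours and the 22-bit signature, 96 bits in all, six bits per character. The "digital signature" is a keyed hash; here it is HMAC-SHA256 truncated to 22 bits (the appendix code uses MD5), and the client IP address is an input to the hash rather than a stored field. `handle_get` is the content-server branch of Figure 2A; the page names, domain ids and secret keys are constructed.

```python
# Added example; not from the patent. SID as a 96-bit value packed into
# 16 six-bit characters, plus the content server's handling of a GET.
# Assumed layout: 32-bit uid | 8-bit domain | 2-bit key id | 32-bit expiry
# (hours since the Unix epoch) | 22-bit signature.
import hashlib
import hmac
import struct
import time

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
# Key ring shared by the authentication and content servers; the 2-bit key
# id selects the entry. Constructed secrets.
KEYS = {0: b"constructed-secret-0", 1: b"constructed-secret-1"}
# Constructed site layout: controlled page -> protection domain id.
CONTROLLED = {"report": 7, "chapter2": 7}
UNCONTROLLED = {"homepage", "advertisement"}
AUTH_URL = "http://auth.com/authenticate"


def encode96(value):
    """16 characters, 6 bits each, most significant group first."""
    return "".join(ALPHABET[(value >> (6 * (15 - i))) & 63] for i in range(16))


def decode96(text):
    if len(text) != 16 or any(c not in ALPHABET for c in text):
        raise ValueError("not a SID")
    value = 0
    for c in text:
        value = (value << 6) | ALPHABET.index(c)
    return value


def signature(uid, dom, kid, exp_hours, client_ip, key):
    """Keyed hash over the other fields plus the client IP, truncated to
    22 bits. The IP is an input only; it is not stored in the SID."""
    msg = struct.pack(">IBBI", uid, dom, kid, exp_hours) + client_ip.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> 10


def create_sid(uid, dom, kid, exp_hours, client_ip):
    """What the authentication server issues after a successful login."""
    uid &= 0xFFFFFFFF
    dom &= 0xFF
    kid &= 3
    exp_hours &= 0xFFFFFFFF
    sig = signature(uid, dom, kid, exp_hours, client_ip, KEYS[kid])
    return encode96((uid << 64) | (dom << 56) | (kid << 54) | (exp_hours << 22) | sig)


def parse_sid(text):
    v = decode96(text)
    return {"uid": v >> 64, "dom": (v >> 56) & 0xFF, "kid": (v >> 54) & 3,
            "exp": (v >> 22) & 0xFFFFFFFF, "sig": v & 0x3FFFFF}


def validate_sid(text, current_domain, client_ip, now=None):
    """The content server's checks in the order the text lists them:
    (1) signature, (2) domain, (3) expiry. Returns (ok, reason)."""
    try:
        f = parse_sid(text)
    except ValueError:
        return False, "malformed"
    key = KEYS.get(f["kid"])
    if key is None:
        return False, "unknown key id"
    expected = signature(f["uid"], f["dom"], f["kid"], f["exp"], client_ip, key)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), f["sig"].to_bytes(3, "big")):
        return False, "bad signature"
    if f["dom"] != current_domain:
        return False, "wrong domain"
    now_hours = int((time.time() if now is None else now) // 3600)
    if f["exp"] <= now_hours:
        return False, "expired"
    return True, "ok"


def handle_get(path, client_ip, now=None):
    """Content-server branch of Figure 2A. `path` is '/page' or '/<SID>/page'.
    Returns ('serve', page), ('redirect', url) or ('not found', page)."""
    segs = path.strip("/").split("/")
    sid, page = (segs[0], segs[1]) if len(segs) == 2 else (None, segs[0])
    if page in UNCONTROLLED:
        return "serve", page
    if page not in CONTROLLED:
        return "not found", page
    dom = CONTROLLED[page]
    to_auth = "%s?domain=%d&URL=http://content.com/%s" % (AUTH_URL, dom, page)
    if sid is None:
        return "redirect", to_auth
    ok, _reason = validate_sid(sid, dom, client_ip, now)
    # A forged, expired or wrong-domain SID is treated like a missing one:
    # the client is sent to the authentication server for a fresh SID.
    return ("serve", page) if ok else ("redirect", to_auth)
```

Two caveats a practitioner would want on record. A 22-bit signature gives an attacker who can make on-line guesses only about four million candidates to try for a chosen user id and domain, so the content server must rate-limit or log failed validations rather than silently redirect forever. Binding the signature to the client IP also means the SID stops validating when the user's address changes, and offers little protection when many users share one proxy address, which the Background section already notes is the common case.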

Figure 2B describes the details of the authentication process. The content server redirects the client browser 100 to the authentication server. The REDIRECT URL may be "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report". That URL specifies the domain and the initial URL requested. In response to the REDIRECT, the client browser automatically sends a GET request with the provided URL.
The authentication server begins the authorization process by validating the request 210 and determining the level of authentication required for the domain 212. Depending on this level, the authentication server may challenge the client for credentials: it sends a "CHALLENGE" response 214 requiring the user to provide a password. If the user is unable to provide a password, access is denied. Otherwise the browser forms an authorization header 300 from the information provided and repeats the request, for example "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report" with the authorization header "AUTHORIZE: [authorization]".

Upon receiving the GET request, the authentication server queries an account database 216 to determine whether the user is authorized 218 to access the requested document. A preferred account database may contain, for billing purposes, such information as client name, address and credit card number, and demographic information such as user age, address, hobby, or occupation for marketing purposes. If the user is authorized, an SID is issued as previously described. If the user has no authorization, the authentication server checks to see if the user qualifies for a new account 220. If the user is not qualified to open a new account, a page denying access






222 is transmitted to the client browser 100. If the user is qualified, a form is sent to the client, such as the form shown in Figure 5, requiring personal information, and the user fills in the blanks 502. The browser is able to transmit the data entered by the user in the blanks 502 as a "POST" request to the authentication server. A POST method causes form contents to be sent to the server in a data body rather than as part of the URL. If the registration is valid 228, a new SID is generated 230; otherwise access is again denied 222.

The SID for the authorized user is appended ("tagged") 230 to the original URL directed to a controlled page on the content server. The authentication server then transmits a REDIRECT response 237 based on the tagged URL to the client browser 100. The modified URL, such as "http://content.com/[SID]/report", is then forwarded to the content server 120.

Figure 3 describes a typical client-server exchange involving the access control and monitoring procedure of the present invention. In Step 1, the client browser transmits a GET request through the Internet 50 for an uncontrolled page (UCP), for example an advertisement page, "http://content.com/advertisement", where "content.com" is the content server name and "advertisement" is the uncontrolled page. In Step 2, the content server 52 processes the GET request and transmits the requested page "advertisement" to the client 54. The content server also logs the GET request in the transaction database 56 by recording the URL, the client IP address, and the current time.

In Step 3, the user on the client 54 may traverse a link in the advertisement page directed to a controlled page (CP). For example, the advertisement page
may contain a link to a controlled page called "report". Selecting this link causes the browser to send a GET request through a URL which is "http://content.com/report". In Step 4, the content server 52 determines that the request is for a controlled page and that the URL does not contain an SID. Hence, the content server transmits a REDIRECT response to the client, such as "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report". In Step 5, the client browser automatically sends a GET request for that URL to the authentication server, which determines whether the user must be challenged for credentials. In Step 6, the authentication server transmits a "CHALLENGE" response to the client. In Step 7, the client browser sends the authorization to the authentication server, again through a GET request such as "http://auth.com/authenticate?domain=[domain]&URL=http://content.com/report" accompanied by an authorization header. The authentication server processes the GET request by checking the account database. If a valid account exists, an SID is issued which authorizes access to the controlled page "report" and all the other pages within the domain. As previously described, the preferred SID comprises a compact ASCII string that encodes a user identifier, the current domain, a key identifier, an expiration time, the client IP address, and an unforgeable digital signature. In Step 8, the authentication server redirects the client to the tagged URL "http://content.com/[SID]/report", which is transmitted to
the client. In Step 9, the tagged URL is automatically forwarded by the browser as a GET request to the content server 52, which logs the request by recording the URL, the client IP address, and the current time. In Step 10, the content server, upon validating the SID, transmits the requested controlled page "report" for display on the client browser.

In accordance with another aspect of the present invention, the content server periodically evaluates the records contained in the transaction log 56 to determine the frequency and duration of accesses to the associated content server. The server counts requests to particular pages exclusive of repeated requests from a common client in order to determine the level of interest in information on different pages for ratings purposes. By excluding repeated requests, the system avoids distortions by users attempting to "stuff the ballot box". In one embodiment, the time intervals between repeated requests by a common client are examined to exclude those requests falling within a defined period.

Additionally, the server may, at any given time, track access history within a client-server session. Such a history profile informs the service provider about link traversal frequencies and link paths followed by users. The profile is obtained by filtering transaction logs from one or more servers to yield only those transactions corresponding to requests from a given user. Consecutive requests from a given user in these logs represent a link traversal from one page to the next made by the user in question. This information may be used to identify the most popular links to a specific page and to suggest where to insert new links to provide more direct access. In another embodiment, the access history is evaluated to determine traversed links leading to a purchase of a product made within a commercial transaction. This information may be used, for example, to charge for advertising based on the number of link traversals from an advertising page to a product page, or based on the number of purchases made along a path that includes the advertisement. In this embodiment, the system evaluates the effectiveness of advertising by tracking the sales that resulted from a particular page, link, or path of links. The system may also be used to charge the merchant for an advertisement based on the number of sales that resulted from it.

According to another aspect of the invention, a secondary server, such as the authentication server 200 of Figure 2B, may access a prearranged user profile from the account database 216 and include information based on such a profile in the SID. The content server may use the profile information 310 to customize user-specific pages, such as personalized content based on the user identifier field of the SID.

In another aspect of the invention, the user may gain access to a domain of servers containing publications through a subscription. In that situation, the user purchases the subscription in advance and gains access to on-line documents through the authorization procedure previously described, where an authorization indicator is preferably embedded in the session identifier. In another embodiment, rather than relying on a prepaid subscription, the user may be billed each time he or she accesses a particular document through the Internet. In that case, authorization may not be required so long as the user can be identified in order to be charged for the access. The user identification is most appropriately embedded in the session identifier described above.

In another aspect of the invention, the system utilizes conventional telephone numbers or other identifiers to reach merchant services. These merchant services may optionally be protected using SIDs. In a preferred embodiment, as illustrated in Figure 6, a Web browser client 601 provides a "dial" command for accepting a telephone number from a user, such as by clicking on a "dial" icon and inputting the telephone number through the keyboard. The browser then constructs a URL of the form "http://directory.net/NUMBER", where NUMBER is the telephone number or other identifier, and requests it from a directory server 602 (Message 1). Once NUMBER is received by directory server 602, it is translated to a URL on the merchant server 603 that implements the service corresponding to NUMBER. This translation is performed after normalizing the digits of the number, so that parentheses or dashes are not significant.

In another embodiment, an identifier other than a telephone number may be used in the same way. Server 602 returns a REDIRECT (Message 2) to client 601, specifying the target URL for NUMBER as computed from database 604. The client browser 601 then automatically sends Message 3 to merchant server 603 requesting the URL, and merchant server 603 returns the document in Message 4. Server 602 could instead have returned a Web page to the client providing an appropriate link to the required document. However, because server 602 translates to a final URL and sends a REDIRECT rather than a page to client 601, the document of Message 4 is obtained without any further action by the user. The URL contained in Message 3 can be an ordinary URL to an uncontrolled page, or it can be a URL that describes a controlled page. If it describes a controlled page, then authentication is performed as previously described. The URL may also be a tagged URL that includes an SID, which provides a preauthorized means of accessing a controlled page.

Among the benefits of the "dial" command and its implementation is an improved way of accessing the Internet that is compatible with conventional telephone numbers and other identifiers. Merchants need not add Internet addresses to their print or television advertising to provide an Internet access path. In this approach a single merchant server can provide different services that correspond to different telephone numbers or other identifiers. For example, if users dial the "flight arrival" number they could be directed to the flight arrival page, while the URL for the "reservation" number would be directed to a reservation page. The "priority gold" number could be directed to a controlled page URL that would first authenticate the user as a member of the priority gold users group, and then would serve the "priority gold" page. An unpublished "ambassador" number could be directed to a tagged URL that permits access to the "priority gold" page without user authentication.

This invention has particular application to network ...

Equivalents

Those skilled in the art will know, or be able to ascertain using no more than routine experimentation, many equivalents to the specific embodiments of the invention described herein. These and all other equivalents are intended to be encompassed by the following claims.



Appendix

/* TclIdSid
 *
 * Scans an ascii line and finds an ascii SID in it (no validation though).
 *
 * Inputs:
 *      lineoftext
 *
 * Returns:
 *      ascii_sid, if a SID is found; the empty string otherwise.
 */
int TclIdSid(ClientData dummy, Tcl_Interp *interp,
             int argc, char **argv)
{
    char *sidp, *cp;

    interp->result[0] = 0;
    if (argc != 2) {
        interp->result = "wrong # args";
        return TCL_ERROR;
    }
    /* The marker string that introduces a SID in the line is not legible
     * in the source listing; the SID token, marker included, is 19 chars. */
    sidp = (char *) strstr(argv[1], /* marker string lost in extraction */);
    if (sidp == NULL) return TCL_OK;
    cp = (char *) strstr(sidp + 1, "/");
    /* Token ends at the next "/" or at end of line; either way it must be
     * exactly 19 characters. (The listing subtracted from cp even when it
     * was NULL; that case is separated here.) */
    if (cp == NULL) {
        if (strlen(sidp) != 19) return TCL_OK;
    } else if ((cp - sidp) != 19) {
        return TCL_OK;
    }
    strncpy(interp->result, sidp, 19);
    interp->result[19] = 0;
    return TCL_OK;
}


/*
 * Register commands with interpreter.
 */
int SidSupInit(Tcl_Interp *interp)
{
    /* Handler names for "packsid" and "unpacksid" are not legible in the
     * source listing; they are inferred from the command names. */
    Tcl_CreateCommand(interp, "packsid", TclPackSid, NULL, NULL);
    Tcl_CreateCommand(interp, "unpacksid", TclUnpackSid, NULL, NULL);
    Tcl_CreateCommand(interp, "unpacksidnovalidate", TclUnpackSidNoValidate,
                      NULL, NULL);
    Tcl_CreateCommand(interp, "issid", TclIdSid, NULL, NULL);
    return TCL_OK;
}
/*
 * compute_ihash
 *
 *      Compute the MD5 hash for the specified string, returning the
 *      32-bit xor of the 4 hash longwords.
 *
 * Results:
 *      hash int.
 *
 * Side effects:
 *      None.
 */
int compute_ihash(char *str)
{
    MD5_CTX md5;
    unsigned char hash[16];
    unsigned int *pi;
    unsigned int hashi = 0;

    MD5Init(&md5);
    MD5Update(&md5, str, strlen(str));
    MD5Final(hash, &md5);

    /* Reads the 16-byte digest as four native-endian longwords, so the
     * value depends on the host byte order and on hash[] being aligned. */
    pi = (unsigned int *) hash;
    hashi = *pi++;
    hashi ^= *pi++;
    hashi ^= *pi++;
    hashi ^= *pi++;
    return hashi;
}


/*
 * ticket.c --
 *
 *      Commands for TICKET.
 *
 * Copyright 1995 by Open Market, Inc.
 * All rights reserved.
 *
 * This file contains proprietary and confidential information and
 * remains the unpublished property of Open Market, Inc.  Use,
 * disclosure or reproduction is prohibited except as permitted by
 * express written license agreement with Open Market, Inc.
 *
 * Steve Morris
 * morris@OpenMarket.com
 *
 * Created: Wed Mar 1 1995
 * Source: /omi/proj/master/omhttpd/... /ticket.c,v $
 */

#if !defined(lint)
static const char rcsid[] = "$Header: ... $";
#endif /* not lint */

#include <stdio.h>
#include <sys/utsname.h>
#include "httpd.h"
#include "md5.h"
#include "ticket.h"

static TICKET_Server TicketServerData;

/*
 * Ticket/SID support.
 *
 * The region commands RequireSID and xxxxx can be used to limit
 * access to groups of files based on the identity of the requestor.
 * The two commands are similar in the method used to
 * present the authentication data; they differ in the handling of the
 * failing access case.  For failing access either an "unauthorized" message is
 * generated, or (via the configuration) a REDIRECT is
 * performed to forward the request to an authentication
 * server.
 *
 * RequireSID domain1 [domain2 ... domainn]
 *
 *      This command denies access unless the requesting SID carries one of
 *      the listed domains.  Only one RequireSID or xxxxx command can
 *      be used for a given region, though it may specify multiple domains.
 */



static int ProcessRequires(ClientData clientData, Tcl_Interp *interp,
                           int argc, char **argv, int flavor);
static int DomainNameCmd(ClientData clientData, Tcl_Interp *interp,
                         int argc, char **argv);
static int GetDomain(char *domname, int dflt);
static char *GetAsciiDomain(char *domname, char *dflt);
static int compute_ihash(char *str);
static char *computeHash(char *str);
static char *GetSecret(int kid);
static int GetKidByKeyID(char *keyID);
static char *CreateSid(HTTP_Request *reqPtr, int dom, int uid, int kid,
                       int exp, int uctx);
static void freeTicketReqData(void *dataPtr);
static void DumpStatus(HTTP_Request *reqPtr);
static void TICKET_DebugHook(ClientData clientData);
static int ParseSid(HTTP_Request *reqPtr);
static int ParseTicket(HTTP_Request *reqPtr);
static char *fieldParse(char *str, char sep, char **endPtr);
void TICKET_ConfigCheck(void);
void DumpRusage(HTTP_Request *reqPtr);



/*
 * TICKET_RequireSidCmd --
 *
 *      Checks that the requested URL is authorized via SID to access this
 *      region.  If the access is not authorized and no
 *      authentication server is declared, an error message
 *      is returned.  If a remote authentication server is
 *      declared, we redirect to that server, passing the requested URL and
 *      required domains as arguments.
 *
 * Results:
 *      Normal Tcl result, or a REDIRECT request.
 *
 * Side effects:
 *      Either an "unauthorized access" message or a REDIRECT in case of
 *      error.
 */
int TICKET_RequireSidCmd(ClientData clientData, Tcl_Interp *interp,
                         int argc, char **argv)
{
    if (TicketGlobalData.EnableSidEater) return TCL_OK;
    return ProcessRequires(clientData, interp, argc, argv, ticketSid);
}
/*
 * ProcessRequires --
 *
 *   Checks that the requested URL is authorized to access this region.
 *   On failure we check if we are operating in "local authentication
 *   mode"; if we are, we generate a new SID and insert it into the URL.
 *   If we are not in "local" mode, we look for the address of a remote
 *   authentication server; if we have declared one (in the config) we
 *   REDIRECT to it, passing the FULL url and the set of domains that
 *   would have been legal. If no authentication server was found we
 *   return an error message.
 *
 * Results:
 *   Normal Tcl result, a local reprocess command, or a REDIRECT request.
 *
 * Side effects:
 *   Either an "unauthorized access" message or a REDIRECT in case of
 *   error.
 */



static int ProcessRequires(ClientData clientData, Tcl_Interp *interp,
                           int argc, char **argv, int flavor)
{
    HTTP_Request *reqPtr = (HTTP_Request *) clientData;
    HTTP_Server *serverPtr;
    TICKET_Request *ticketPtr;
    DString targetUrl;
    DString escapeUrl;
    int i, required_dom;
    int firstLegalDom = -1;
    char *NewSid, *cp;

    DStringInit(&targetUrl);
    DStringInit(&escapeUrl);

    /* fetch the server private and ticket specific extension data */
    serverPtr = reqPtr->serverPtr;
    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr,
                                     TicketServerData.ticketExtensionId);
    ASSERT(ticketPtr != NULL);

    /* compare the requesting SID/Ticket domain to the authorized list of */
    /* domains. A match, OR any valid SID when the required domain is the */
    /* FreeArea, is sufficient.                                           */
    for (i = 1; i < argc; i++)
    {
        required_dom = GetDomain(argv[i], -1);
        if (required_dom != -1)
        {
            if (firstLegalDom == -1) firstLegalDom = required_dom;
            /* condition reconstructed from a damaged listing: a valid SID    */
            /* for this domain (or for any domain when the required domain   */
            /* is the free area), or an unexpired ticket for this domain     */
            /* whose IP restriction, if present, matches the requester.      */
            if ((ticketPtr->valid && (ticketPtr->sidDom != -1) &&
                 ((ticketPtr->sidDom == required_dom) ||
                  (required_dom == TicketGlobalData(FreeArea)))) ||
                ((ticketPtr->ticketDom == required_dom) &&
                 (time(0) <= ticketPtr->ticketExp) &&
                 ((DStringLength(&ticketPtr->ticketIP) == 0) ||
                  (strcmp(DStringValue(&ticketPtr->ticketIP),
                          DStringValue(&reqPtr->remoteAddr)) == 0))))
            {
                DStringFree(&targetUrl);
                DStringFree(&escapeUrl);
                return TCL_OK;
            }
        }
    }

    /* count the number of domain crossings that cause a re-auth */
    if ((flavor == ticketSid) && (ticketPtr->sidDom != -1))
        IncTicketCounter(CountCrossDomain);

    /* authorization failed. If this was a sid url, or this was an access */
    /* to the free area, insert a new sid in the url and REDIRECT back to */
    /* the client.                                                        */
    if (TicketGlobalData(EnableLocalAuth) &&
        ((firstLegalDom == TicketGlobalData(FreeArea)) ||
         ((flavor == ticketSid) && (firstLegalDom != -1))))
    {
        if ((DStringLength(&reqPtr->url) != 0) &&
            (DStringValue(&reqPtr->url)[0] != '/'))
        {
            HTTP_Error(reqPtr, NOT_FOUND, "access denied to poorly formed url");
            DStringFree(&targetUrl);
            DStringFree(&escapeUrl);
            if (!ticketPtr->valid)
                DStringFree(&ticketPtr->sid);
            return TCL_RETURN;
        }

        NewSid = CreateSid(reqPtr, firstLegalDom, ticketPtr->uid,
                           TicketGlobalData(CurrentSecret),
                           TicketGlobalData(LocalAuthExp), ticketPtr->uctx);
        DStringFree(&ticketPtr->sid);
        DStringAppend(&ticketPtr->sid, NewSid, -1);
        ComposeURL(reqPtr, DStringValue(&reqPtr->url), &targetUrl);
        IncTicketCounter(CountLocalRedirects);
        HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
        DStringFree(&targetUrl);
        DStringFree(&escapeUrl);
        if (!ticketPtr->valid)
            DStringFree(&ticketPtr->sid);
        return TCL_RETURN;
    }

    /* authorization failed, build a REDIRECT with args for */
    /* the remote authentication server                      */
    if (DStringLength(&TicketGlobalData(AuthServer)) != 0)
    {
        if ((DStringLength(&reqPtr->url) != 0) &&
            (DStringValue(&reqPtr->url)[0] != '/'))
        {
            HTTP_Error(reqPtr, NOT_FOUND, "access denied to poorly formed url");
            DStringFree(&targetUrl);
            DStringFree(&escapeUrl);
            if (!ticketPtr->valid)
                DStringFree(&ticketPtr->sid);
            return TCL_RETURN;
        }

        /* target is <AuthServer><escaped full url>&domain=<escaped list> */
        DStringAppend(&targetUrl, DStringValue(&TicketGlobalData(AuthServer)), -1);
        ComposeURL(reqPtr, DStringValue(&reqPtr->url), &escapeUrl);
        EscapeUrl(&escapeUrl);
        DStringAppend(&targetUrl, DStringValue(&escapeUrl), -1);
        DStringAppend(&targetUrl, "&domain=", -1);
        DStringTrunc(&escapeUrl, 0);
        DStringAppend(&escapeUrl, "{", -1);
        for (i = 1; i < argc; i++)
        {
            cp = GetAsciiDomain(argv[i], NULL);
            if (cp != NULL)
            {
                DStringAppend(&escapeUrl, cp, -1);
                DStringAppend(&escapeUrl, " ", -1);
            }
        }
        DStringAppend(&escapeUrl, "}", -1);
        EscapeUrl(&escapeUrl);
        DStringAppend(&targetUrl, DStringValue(&escapeUrl), -1);
        DStringFree(&escapeUrl);
        HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
        DStringFree(&targetUrl);
        if (!ticketPtr->valid)
            DStringFree(&ticketPtr->sid);
        return TCL_RETURN;
    }

    /* authorization failed. If this was a ticket url, figure out the */
    /* reason and handle it via a redirect to a handler, or punt with */
    /* a "no access" message.                                         */
    if ((flavor == ticketTicket) && (firstLegalDom != -1))
    {
        if (ticketPtr->ticketDom == firstLegalDom)
        {
            /* check for IP address restrictions (condition and handler */
            /* arguments reconstructed; the listing is damaged here)    */
            if ((DStringLength(&TicketGlobalData(TicketAdrHandler)) != 0) &&
                (DStringLength(&ticketPtr->ticketIP) != 0) &&
                (strcmp(DStringValue(&ticketPtr->ticketIP),
                        DStringValue(&reqPtr->remoteAddr)) != 0))
            {
                DStringAppend(&targetUrl,
                              DStringValue(&TicketGlobalData(TicketAdrHandler)), -1);
                DStringAppend(&targetUrl, DStringValue(&reqPtr->url), -1);
                HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
                DStringFree(&targetUrl);
                DStringFree(&escapeUrl);
                return TCL_RETURN;
            }

            /* check for expired tickets */
            if (time(0) > ticketPtr->ticketExp)
            {
                DStringAppend(&targetUrl,
                              DStringValue(&TicketGlobalData(TicketExpHandler)), -1);
                DStringAppend(&targetUrl, DStringValue(&reqPtr->url), -1);
                /* the counter incremented here is illegible in the listing */
                HTTP_Error(reqPtr, REDIRECT, DStringValue(&targetUrl));
                DStringFree(&targetUrl);
                DStringFree(&escapeUrl);
                return TCL_RETURN;
            }
        }
    }

    /* no handler, punt a message */
    HTTP_Error(reqPtr, FORBIDDEN, "access denied to RequireTicket/sid region");
    IncTicketCounter(CountNoRedirects);
    if (!ticketPtr->valid)
        DStringFree(&ticketPtr->sid);
    DStringFree(&targetUrl);
    DStringFree(&escapeUrl);
    return TCL_RETURN;
}



/*
 * GetDomain / GetAsciiDomain --
 *
 *   These routines perform an ascii to binary domain name translation,
 *   indexed by key, from the Domains hash table. Name/number pairs are
 *   loaded into the catalog at configuration time with the "Domain"
 *   command. The Ascii version returns a pointer to a character string
 *   holding the domain number; the non-Ascii version returns an integer
 *   representing the domain number.
 *
 * Results:
 *   Integer value of the domain if found. If no domain is available,
 *   returns deflt.
 *
 * Side effects:
 *   None.
 */
static int GetDomain(char *domname, int deflt)
{
    HashEntry *entryPtr;
    DString DomName;

    DStringInit(&DomName);
    DStringAppend(&DomName, domname, -1);
    strtolower(DStringValue(&DomName));
    entryPtr = FindHashEntry(&TicketServerData.Domains,
                             DStringValue(&DomName));
    DStringFree(&DomName);
    if (entryPtr == NULL) return deflt;
    return (int) GetHashValue(entryPtr);
}

static char *GetAsciiDomain(char *domname, char *deflt)
{
    HashEntry *entryPtr;
    static char buffer[64];
    DString DomName;

    DStringInit(&DomName);
    DStringAppend(&DomName, domname, -1);
    strtolower(DStringValue(&DomName));
    entryPtr = FindHashEntry(&TicketServerData.Domains,
                             DStringValue(&DomName));
    DStringFree(&DomName);
    if (entryPtr == NULL) return deflt;
    sprintf(buffer, "%d", (int) GetHashValue(entryPtr));
    return buffer;
}



/*
 * TICKET_InsertLocalSid --
 *
 *   Given a URL, inspect it to see if it refers to our own server/port.
 *   If it does, and it does not already carry one, insert the SID of the
 *   current request into it. Because the port may be omitted, we look for
 *   a match with and without the port.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   A SID may be inserted into the URL.
 */
void TICKET_InsertLocalSid(HTTP_Request *reqPtr, DString *result)
{
    HTTP_Server *serverPtr;
    TICKET_Request *ticketPtr;
    char tmp[32];
    DString pattern1;
    DString pattern2;
    DString tmp_url;
    DString *hitPattern = NULL;

    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr,
                                     TicketServerData.ticketExtensionId);
    if (ticketPtr == NULL) return;
    serverPtr = reqPtr->serverPtr;

    DStringInit(&pattern1);
    DStringInit(&pattern2);
    DStringInit(&tmp_url);

    /* pattern1 is "http://host:port", pattern2 is "http://host"; the */
    /* name of the host field is illegible in the listing             */
    DStringAppend(&pattern1, "http://", -1);
    DStringAppend(&pattern1, DStringValue(&serverPtr->hostName), -1);
    DStringAppend(&pattern2, DStringValue(&pattern1), -1);
    sprintf(tmp, ":%d", serverPtr->server_port);
    DStringAppend(&pattern1, tmp, -1);

    if ((DStringLength(result) >= DStringLength(&pattern1)) &&
        (strncasecmp(DStringValue(&pattern1), DStringValue(result),
                     DStringLength(&pattern1)) == 0))
        hitPattern = &pattern1;
    else if ((serverPtr->server_port == 80) &&
             (DStringLength(result) >= DStringLength(&pattern2)) &&
             (strncasecmp(DStringValue(&pattern2), DStringValue(result),
                          DStringLength(&pattern2)) == 0))
        hitPattern = &pattern2;

    if (hitPattern != NULL)
    {
        /* rebuild as "http://host[:port]" + SID + remainder of the URL */
        DStringAppend(&tmp_url, DStringValue(hitPattern), -1);
        DStringAppend(&tmp_url, DStringValue(&ticketPtr->sid), -1);
        DStringAppend(&tmp_url,
                      DStringValue(result) + DStringLength(hitPattern), -1);
        DStringFree(result);
        DStringAppend(result, DStringValue(&tmp_url), -1);
    }

    DStringFree(&pattern1);
    DStringFree(&pattern2);
    DStringFree(&tmp_url);
}
/*
 * CreateSid --
 *
 *   This routine takes the passed arguments and creates a sid.
 *
 * Results:
 *   A sid.
 *
 * Side effects:
 *   None.
 */
char *CreateSid(HTTP_Request *reqPtr, int dom, int uid, int kid,
                int exp, int uctx)
{
    int bsid[3] = {0, 0, 0};
    char temp_str[512];
    DString hash;
    int act_hash;
    static char sid[64];
    unsigned int expire_time;
    char *secret;
    char *hashP;
    char *cp;
    unsigned char *ecp;
    unsigned int eda;
    int endian = 1;

    DStringInit(&hash);
    expire_time = time(0) + exp;

    /* pack the fields into the three 32 bit words of the sid */
    put_sid(dom_lw,  dom_pos,  dom_mask,  dom);
    put_sid(uid_lw,  uid_pos,  uid_mask,  uid);
    put_sid(kid_lw,  kid_pos,  kid_mask,  kid);
    put_sid(exp_lw,  exp_pos,  exp_mask,  (expire_time >> exp_shft_amt));
    put_sid(uctx_lw, uctx_pos, uctx_mask, uctx);
    put_sid(rev_lw,  rev_pos,  rev_mask,  sid_rev_zero);

    secret = GetSecret(kid);
    ASSERT(secret != NULL);
    DStringAppend(&hash, secret, -1);
    DStringAppend(&hash, DStringValue(&reqPtr->remoteAddr), -1);
    /* the sprintf is inferred from the format comment below */
    sprintf(temp_str, "%08x%08x", bsid[2], bsid[1]);
    DStringAppend(&hash, temp_str, -1);
    /* format of the hash string is %s%s%08x%08x for   */
    /* secret, ip_addr, bsid[2], bsid[1]               */
    hashP = DStringValue(&hash);
    act_hash = compute_ihash(hashP);
    while (*hashP != 0) *hashP++ = 0;     /* scrub the secret from the buffer */
    DStringFree(&hash);
    /* fix_endian(&act_hash, ecp, eda); */

    put_sid(sig_lw, sig_pos, sig_mask, act_hash);

    /* fix_endian(&bsid[0], ecp, eda);
       fix_endian(&bsid[1], ecp, eda);
       fix_endian(&bsid[2], ecp, eda); */

#if (1 == 0)
    DumpSid();
#endif

    cp = radix64encode_noslash((char *) bsid, 12);
    strcpy(sid, SID_prefix);
    strcat(sid, cp);
    free(cp);
    return (sid);
}



/*
 * compute_ihash --
 *
 *   Compute the MD5 hash for the specified string and return the
 *   32 bit xor of the four words of the hash.
 *
 * Results:
 *   hash int.
 *
 * Side effects:
 *   None.
 */
static int compute_ihash(char *str)
{
    MD5_CTX md5;
    unsigned char hash[16];
    unsigned int *pl;
    unsigned int hashi = 0;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(hash, &md5);

    /* fold the 128 bit digest down to a single 32 bit word */
    pl = (unsigned int *) hash;
    hashi = *pl++;
    hashi ^= *pl++;
    hashi ^= *pl++;
    hashi ^= *pl++;
    return hashi;
}






/*
 * computeHash --
 *
 *   Compute the MD5 hash for the string, returning the hash as
 *   a 32-character hex string.
 *
 * Results:
 *   Pointer to static hash string.
 *
 * Side Effects:
 *   None.
 */
static char *computeHash(char *str)
{
    int i;
    MD5_CTX md5;
    unsigned char hash[16];
    static char hashstr[33];
    char *q;

    MD5Init(&md5);
    MD5Update(&md5, (unsigned char *) str, strlen(str));
    MD5Final(hash, &md5);
    q = hashstr;
    for (i = 0; i < 16; i++) {
        sprintf(q, "%02x", hash[i]);
        q += 2;
    }
    *q = '\0';
    return hashstr;
}



/*
 * TICKET_ParseTicket --
 *
 *   Called by dorequest, before any region commands or mount handlers
 *   have run. We parse and handle incoming sid's and tickets.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   None.
 */
int TICKET_ParseTicket(HTTP_Request *reqPtr)
{
    int status = HT_OK;

    IncTicketCounter(CountTotalUrl);
    status = ParseSid(reqPtr);
    if (TicketGlobalData(EnableTicket) && (status == HT_OK))
        status = ParseTicket(reqPtr);
    return status;
}



/*
 * ParseSid --
 *
 *   Called by TICKET_ParseTicket, before any region commands or mount
 *   handlers have run. We parse and handle incoming sid's.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Per-request ticket data is allocated and attached to the request.
 */
int ParseSid(HTTP_Request *reqPtr)
{
    TICKET_Request *ticketPtr;
    HTTP_Server *serverPtr;
    DString hash;
    int i;
    char *cp, *cp1;
    int *bsid = NULL, act_hash;
    unsigned int cur_tim, tdif, exp_tim;
    char *secret;
    char temp_str[512];
    char *hashP;
    int sid_ok = 0;
    unsigned char *ecp;
    unsigned int eda;
    int endian = 1;
    int ip1, ip2, ip3, ip4;

    /* allocate and attach the per-request ticket data; the name of the */
    /* attach routine is illegible in the listing and assumed here      */
    ticketPtr = (TICKET_Request *) HT_GetReqExtData(reqPtr,
                                     TicketServerData.ticketExtensionId);
    ASSERT(ticketPtr == NULL);
    ticketPtr = (TICKET_Request *) malloc(sizeof(TICKET_Request));
    HT_SetReqExtData(reqPtr, TicketServerData.ticketExtensionId, ticketPtr,
                     freeTicketReqData);
    DStringInit(&ticketPtr->rawUrl);
    DStringInit(&ticketPtr->sid);
    DStringInit(&ticketPtr->fields);
    DStringInit(&ticketPtr->signature);
    DStringInit(&ticketPtr->ticketIP);
    ticketPtr->valid = 0;
    ticketPtr->sidDom = -1;
    ticketPtr->ticketDom = -1;
    ticketPtr->ticketExp = -1;
    ticketPtr->uid = 0;
    ticketPtr->uctx = 0;

    /* derive a default uid from the client address plus a random part */
    sscanf(DStringValue(&reqPtr->remoteAddr), "%d.%d.%d.%d",
           &ip1, &ip2, &ip3, &ip4);
    ticketPtr->uid = (((ip1 + ip2) << 24) | ((ip3 + ip4) << 16) |
                      (rand() & 0xFFFF));

    /* we are done if sids are not enabled, or this url has no sid */
    if (!TicketGlobalData(EnableSid)) return HT_OK;
    cp1 = DStringValue(&reqPtr->url);
    if (strstr(cp1, SID_prefix) != cp1)
        return HT_OK;
    if (strlen(cp1) == sidLength)
    {
        DStringAppend(&reqPtr->url, "/", -1);
        DStringAppend(&reqPtr->path, "/", -1);
        cp1 = DStringValue(&reqPtr->url);
    }
    cp = strchr(cp1 + sizeof(SID_prefix), '/');
    if ((cp == NULL) || ((cp - cp1) != sidLength))
        return HT_OK;

    IncTicketCounter(CountSidUrl);
    DStringInit(&hash);

    if (/* discard condition illegible in the listing */ 0)
    {
        IncTicketCounter(CountDiscardedSidUrl);
        return HT_OK;
    }

    DStringAppend(&ticketPtr->sid, DStringValue(&reqPtr->url), sidLength);

    /* first convert the SID back to binary. The decoder name is illegible */
    /* in the listing; the counterpart of radix64encode_noslash is assumed */
    i = DStringLength(&ticketPtr->sid) - 3;
    bsid = (int *) radix64decode_noslash(DStringValue(&ticketPtr->sid) + 3, i);
    fix_endian(&bsid[0], ecp, eda);
    fix_endian(&bsid[1], ecp, eda);
    fix_endian(&bsid[2], ecp, eda);

    /* check the SID version field */
    if (get_sid(rev_lw, rev_pos, rev_mask) != sid_rev_zero) goto sid_bad;
    if (get_sid(rsrv1_lw, rsrv1_pos, rsrv1_mask) != 0) goto sid_bad;
    if (get_sid(rsrv2_lw, rsrv2_pos, rsrv2_mask) != 0) goto sid_bad;

    /* get a pointer to the secret */
    secret = GetSecret(get_sid(kid_lw, kid_pos, kid_mask));
    if (secret == NULL) goto sid_bad;

    /* hash the sid and check the signature */
    DStringAppend(&hash, secret, -1);
    DStringAppend(&hash, DStringValue(&reqPtr->remoteAddr), -1);
    /* the sprintf is inferred from the format comment below */
    sprintf(temp_str, "%08x%08x", bsid[2], bsid[1]);
    DStringAppend(&hash, temp_str, -1);
    /* format of the hash string is %s%s%08x%08x for  */
    /* secret, ip_addr, bsid[2], bsid[1]              */
    hashP = DStringValue(&hash);
    act_hash = compute_ihash(hashP);
    while (*hashP != 0) *hashP++ = 0;     /* scrub the secret from the buffer */
    fix_endian(&act_hash, ecp, eda);
    if (act_hash != get_sid(sig_lw, sig_pos, sig_mask)) goto sid_bad;

    /* the sid is authentic; extract the fields, then check for expiry */
    ticketPtr->uid = get_sid(uid_lw, uid_pos, uid_mask);
    ticketPtr->uctx = get_sid(uctx_lw, uctx_pos, uctx_mask);

    /* do the SID expiration processing */
    cur_tim = (time(0) >> exp_shft_amt) & exp_mask;
    exp_tim = get_sid(exp_lw, exp_pos, exp_mask);
    tdif = (exp_tim - cur_tim) & 0xffff;
    if (tdif > 0x7fff)
    {
        IncTicketCounter(CountExpSid);
        goto sid_exp;
    }

    ticketPtr->valid = 1;
    ticketPtr->sidDom = get_sid(dom_lw, dom_pos, dom_mask);
    sid_ok = 1;
    IncTicketCounter(CountValidSid);

sid_bad:
    if (!sid_ok) IncTicketCounter(CountInvalidSid);
sid_exp:
    /* remember the original url (with sid) and strip the sid from the path; */
    /* the remainder of the path rewrite is illegible in the listing         */
    DStringAppend(&ticketPtr->rawUrl, DStringValue(&reqPtr->path), -1);
    DStringTrunc(&reqPtr->path, 0);

rtn_exit:
    DStringFree(&hash);
    if (bsid != NULL) free(bsid);
    return HT_OK;
}
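The SID construction in CreateSid and the checks in ParseSid, modelled in Python as an added example; this is not code from the patent listing. The three-word field layout, the 16-second expiry unit, the "-" substitute for "/" and the secrets table are constructed assumptions, while the "/@@" prefix, the "%s%s%08x%08x" hash input, the MD5 XOR fold, the revision/reserved-bit and key-id checks and the 16-bit wrap-around expiry test follow the listing.

```python
import base64
import binascii
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Constructed constants. The listing addresses SID fields through (word,
# position, mask) triples whose values are not shown, so this three-word
# layout is an assumed stand-in and not the patent's actual layout:
#   word 0: signature
#   word 1: rev:4 | rsrv:4 | dom:8 | exp:16
#   word 2: kid:8 | uctx:8 | uid:16
SID_PREFIX = "/@@"       # URL catcher prefix named in the TICKET_Initialize comment
SID_REV_ZERO = 0         # the only revision ParseSid accepts
EXP_SHIFT = 4            # assumed exp_shft_amt: expiry is stored in 16-second units
EXP_MASK = 0xFFFF
SID_LEN = len(SID_PREFIX) + 16   # 12 binary bytes -> 16 radix-64 characters


def compute_ihash(data: bytes) -> int:
    """compute_ihash: MD5 of the input, folded to 32 bits by XORing its four words."""
    h = 0
    for word in struct.unpack("<4I", hashlib.md5(data).digest()):  # little-endian host
        h ^= word
    return h


def _signature(secret: str, ip: str, w2: int, w1: int) -> int:
    # Hash input format from the listing: "%s%s%08x%08x" over
    # secret, ip_addr, bsid[2], bsid[1]. The result becomes the sig field.
    return compute_ihash(f"{secret}{ip}{w2:08x}{w1:08x}".encode())


def _radix64_noslash(raw: bytes) -> str:
    # radix64encode_noslash: base64 with '/' replaced so the SID fits in a URL
    # path segment; '-' as the substitute character is an assumption.
    return base64.b64encode(raw).decode().rstrip("=").replace("/", "-")


def _radix64_decode(text: str) -> bytes:
    padded = text.replace("-", "/") + "=" * (-len(text) % 4)
    return base64.b64decode(padded, validate=True)


def create_sid(ip: str, dom: int, uid: int, kid: int, exp_seconds: int,
               uctx: int, secrets: Dict[int, str], now: int) -> str:
    """Model of CreateSid: pack the fields, sign them with the kid's secret and
    the client address, and return the prefixed URL-safe token."""
    expire = ((now + exp_seconds) >> EXP_SHIFT) & EXP_MASK
    w1 = (SID_REV_ZERO << 28) | ((dom & 0xFF) << 16) | expire   # rsrv bits stay 0
    w2 = ((kid & 0xFF) << 24) | ((uctx & 0xFF) << 16) | (uid & 0xFFFF)
    w0 = _signature(secrets[kid], ip, w2, w1)
    return SID_PREFIX + _radix64_noslash(struct.pack("<3I", w0, w1, w2))


def parse_sid(url: str, ip: str, secrets: Dict[int, str],
              now: int) -> Tuple[str, Optional[dict]]:
    """Model of ParseSid. Returns (status, fields);  status is 'none' (no SID in
    the URL), 'bad' (malformed, unknown key id or wrong signature), 'expired'
    or 'ok'. Fields are only reported once the signature has been checked."""
    if not url.startswith(SID_PREFIX):
        return "none", None
    # A URL that is exactly the SID is treated as "SID/"; otherwise the SID must
    # end at the first '/' after the prefix, as in ParseSid.
    cut = url.find("/", len(SID_PREFIX))
    token, rest = (url, "/") if cut == -1 else (url[:cut], url[cut:])
    if len(token) != SID_LEN:
        return "none", None
    try:
        raw = _radix64_decode(token[len(SID_PREFIX):])
    except (binascii.Error, ValueError):
        return "bad", None
    if len(raw) != 12:
        return "bad", None
    w0, w1, w2 = struct.unpack("<3I", raw)
    if ((w1 >> 28) != SID_REV_ZERO) or (((w1 >> 24) & 0xF) != 0):
        return "bad", None          # wrong revision or reserved bits set
    kid = w2 >> 24
    secret = secrets.get(kid)
    if secret is None:
        return "bad", None          # GetSecret returned NULL: unknown key id
    expected = _signature(secret, ip, w2, w1)
    # The listing compares with ==; a constant-time compare is used here.
    if not hmac.compare_digest(struct.pack("<I", expected), struct.pack("<I", w0)):
        return "bad", None          # tampered fields or a different client address
    fields = {"dom": (w1 >> 16) & 0xFF, "exp": w1 & EXP_MASK, "kid": kid,
              "uctx": (w2 >> 16) & 0xFF, "uid": w2 & 0xFFFF, "path": rest}
    # Expiry test from ParseSid: a 16-bit modular difference, so an exp field
    # more than half the range "behind" the current time means expired.
    cur = (now >> EXP_SHIFT) & EXP_MASK
    if ((fields["exp"] - cur) & 0xFFFF) > 0x7FFF:
        return "expired", fields
    return "ok", fields


def rewrite_dom_unsigned(sid: str, new_dom: int) -> str:
    """Negative-test helper: change the domain field without re-signing, to show
    that the signature covers it and parse_sid rejects the result."""
    w0, w1, w2 = struct.unpack("<3I", _radix64_decode(sid[len(SID_PREFIX):]))
    w1 = (w1 & ~(0xFF << 16)) | ((new_dom & 0xFF) << 16)
    return SID_PREFIX + _radix64_noslash(struct.pack("<3I", w0, w1, w2))
```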



/*
 * freeTicketReqData --
 *
 *   This routine frees the storage used by ticket specific request
 *   data.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Memory freed.
 */
static void freeTicketReqData(void *dataPtr)
{
    TICKET_Request *ticketPtr = dataPtr;

    DStringFree(&ticketPtr->rawUrl);
    DStringFree(&ticketPtr->sid);
    DStringFree(&ticketPtr->fields);
    DStringFree(&ticketPtr->signature);
    DStringFree(&ticketPtr->ticketIP);
    free(ticketPtr);
}



/*
 * GetSecret --
 *
 *   Given a binary keyID, return a pointer to the secret from the
 *   secrets store. For untranslatable names, return NULL.
 *
 * Results:
 *   "I've got a secret, now you do too"
 *
 * Side effects:
 *   None.
 */
char *GetSecret(int kid)
{
    HashEntry *entryPtr;

    /* body reconstructed from SecretsCmd and TICKET_Shutdown, which store */
    /* a malloc'ed DString per kid in the SecretsKid table                */
    entryPtr = FindHashEntry(&TicketServerData.SecretsKid, (void *) kid);
    if (entryPtr == NULL) return NULL;
    return DStringValue((DString *) GetHashValue(entryPtr));
}



/*
 * GetKidByKeyID --
 *
 *   Given an ascii KeyID return the binary KeyID.
 *   For untranslatable names, return -1 (the value is illegible in the
 *   listing; -1 is assumed).
 *
 * Results:
 *   "I've got a secret, now you do too"
 *
 * Side effects:
 *   None.
 */
int GetKidByKeyID(char *keyID)
{
    HashEntry *entryPtr;

    entryPtr = FindHashEntry(&TicketServerData.KeyID, (void *) keyID);
    if (entryPtr == NULL) return -1;
    return (int) GetHashValue(entryPtr);
}
/*
 * fieldParse --
 *
 *   Given a string and a separator character, extracts the text up to the
 *   separator into the result string.
 *   Does substitution on '%xx' escapes and '+'.
 *
 * Results:
 *   Returns a malloc'ed string (caller must free), or NULL if an
 *   escape is malformed.
 *
 * Side effects:
 *   None.
 */
#define SIZE_INC 200

static char *fieldParse(char *str, char sep, char **endptr)
{
    char buf[3];
    char c;
    char *end, *data, *p;
    int maxlen, len;

    len = 0;
    maxlen = SIZE_INC;
    p = data = malloc(maxlen);
    if (data == NULL) return NULL;

    /*
     * Loop through the string, looking for the sep character.
     */
    while (*str && *str != sep) {
        if (*str == '%') {
            /* reject a truncated or non-hex escape rather than guess */
            if (!isxdigit(str[1]) || !isxdigit(str[2])) {
                free(data);
                return NULL;
            }
            buf[0] = str[1];
            buf[1] = str[2];
            buf[2] = '\0';
            c = strtol(buf, &end, 16);
            str += 3;
        } else if (*str == '+') {
            c = ' ';
            str++;
        } else
            c = *str++;

        *p++ = c;
        len++;
        if (len >= maxlen) {
            maxlen += SIZE_INC;
            data = realloc(data, maxlen);
            if (data == NULL) return NULL;
            p = data + len;
        }
    }
    *p++ = '\0';
    *endptr = str;
    return data;
}



/*
 * DomainNameCmd --
 *
 *   A call to this routine builds the domain name to domain number map.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Commands are validated, and entries added to the map.
 */
static int DomainNameCmd(ClientData clientData, Tcl_Interp *interp,
                         int argc, char **argv)
{
    int new, i;
    HashEntry *entryPtr;
    int DomNumber;
    DString DomName;

    if (argc < 3)
    {
        Tcl_AppendResult(interp, argv[0], " directive: wrong number of ",
                         "arguments, should be \"3\"",
                         (char *) NULL);
        return TCL_ERROR;
    }

    DStringInit(&DomName);

    if ((sscanf(argv[1], "%d", &DomNumber) != 1) || (DomNumber == -1))
    {
        Tcl_AppendResult(interp, argv[0], " directive: ",
                         "Domain number must be an integer (and not equal to -1)",
                         ", value found was ", argv[1],
                         (char *) NULL);
        return TCL_ERROR;
    }

    for (i = 2; i < argc; i++)
    {
        DStringFree(&DomName);
        DStringAppend(&DomName, argv[i], -1);
        strtolower(DStringValue(&DomName));
        entryPtr = CreateHashEntry(&TicketServerData.Domains,
                                   DStringValue(&DomName), &new);
        if (new == 0)
        {
            Tcl_AppendResult(interp, argv[0], " directive: ",
                             "Duplicate domain name specified, ", argv[i],
                             (char *) NULL);
            DStringFree(&DomName);
            return TCL_ERROR;
        }
        SetHashValue(entryPtr, DomNumber);
    }
    DStringFree(&DomName);
    return TCL_OK;
}



/*
 * SecretsCmd --
 *
 *   A call to this routine builds the kid to secrets table.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Secrets are stored.
 */
static int SecretsCmd(ClientData clientData, Tcl_Interp *interp,
                      int argc, char **argv)
{
    int newKid, newKeyID;
    HashEntry *entryPtrKid = NULL, *entryPtrKeyID = NULL;
    int Kid;
    DString *dsptrKid;

    if (argc != 4)
    {
        Tcl_AppendResult(interp, argv[0], " directive: wrong number of ",
                         "arguments, should be \"4\"",
                         (char *) NULL);
        return TCL_ERROR;
    }

    if (sscanf(argv[2], "%d", &Kid) != 1)
    {
        Tcl_AppendResult(interp, argv[0],
                         " directive: KeyID must be an integer",
                         ", value found was ", argv[2],
                         (char *) NULL);
        return TCL_ERROR;
    }

    entryPtrKid = CreateHashEntry(&TicketServerData.SecretsKid,
                                  (void *) Kid, &newKid);
    entryPtrKeyID = CreateHashEntry(&TicketServerData.KeyID,
                                    (void *) argv[1], &newKeyID);
    if ((newKid == 0) || ((newKeyID == 0) && strlen(argv[1])))
    {
        Tcl_AppendResult(interp, argv[0],
                         " directive: Duplicate Kid or KeyID",
                         (char *) NULL);
        return TCL_ERROR;
    }

    /* brace placement reconstructed: the secret is always stored, the */
    /* name-to-kid entry only when a non-empty KeyID was given        */
    dsptrKid = (DString *) malloc(sizeof(DString));
    DStringInit(dsptrKid);
    DStringAppend(dsptrKid, argv[3], -1);
    SetHashValue(entryPtrKid, dsptrKid);
    if (strlen(argv[1]))
        SetHashValue(entryPtrKeyID, Kid);
    return TCL_OK;
}
/*
 * TICKET_Initialize --
 *
 *   Calls all the necessary routines to initialize the ticket subsystem.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Commands added to the region interpreter.
 *   SID "/@@" url catcher declared.
 */
/* parameter list reconstructed; the listing's header line is missing */
int TICKET_Initialize(HTTP_Server *serverPtr, Tcl_Interp *interp)
{
    InitHashTable(&TicketServerData.SecretsKid, TCL_ONE_WORD_KEYS);
    InitHashTable(&TicketServerData.KeyID, TCL_STRING_KEYS);
    InitHashTable(&TicketServerData.Domains, TCL_STRING_KEYS);

    /* initialize Server ticket data */
    DStringInit(&TicketGlobalData(AuthServer));
    DStringInit(&TicketGlobalData(TicketExpHandler));
    DStringInit(&TicketGlobalData(TicketAdrHandler));
    TicketGlobalData(FreeArea)        = 0;
    TicketGlobalData(EnableLocalAuth) = 0;
    TicketGlobalData(CurrentSecret)   = 0;
    TicketGlobalData(EnableSid)       = 0;
    TicketGlobalData(EnableTicket)    = 0;
    TicketGlobalData(EnableSidEater)  = 0;
    TicketGlobalData(LocalAuthExp)    = 60*30;

    /* ticket event counters */
    TicketGlobalData(CountTotalUrl)        = 0;
    TicketGlobalData(CountSidUrl)          = 0;
    TicketGlobalData(CountValidSid)        = 0;
    TicketGlobalData(CountExpSid)          = 0;
    TicketGlobalData(CountInvalidSid)      = 0;
    TicketGlobalData(CountCrossDomain)     = 0;
    TicketGlobalData(CountLocalRedirects)  = 0;
    TicketGlobalData(CountRemoteRedirects) = 0;
    TicketGlobalData(CountNoRedirects)     = 0;
    TicketGlobalData(CountDiscardedSidUrl) = 0;

    /* Ticket related Config commands */
    Tcl_CreateCommand(interp, "Domain", DomainNameCmd,
                      (ClientData) serverPtr, NULL);
    Tcl_CreateCommand(interp, "Secrets", SecretsCmd,
                      (ClientData) serverPtr, NULL);
    Tcl_CreateCommand(interp, "AuthenticationServer", CmdStringValue,
                      (ClientData) &TicketGlobalData(AuthServer), NULL);
    Tcl_CreateCommand(interp, "TicketExpirationHandler", CmdStringValue,
                      (ClientData) &TicketGlobalData(TicketExpHandler), NULL);
    Tcl_CreateCommand(interp, "TicketAddressHandler", CmdStringValue,
                      (ClientData) &TicketGlobalData(TicketAdrHandler), NULL);
    Tcl_CreateCommand(interp, "FreeDomain", CmdIntValue,
                      (ClientData) &TicketGlobalData(FreeArea), NULL);
    Tcl_CreateCommand(interp, "EnableSidEater", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableSidEater), NULL);
    Tcl_CreateCommand(interp, "EnableSid", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableSid), NULL);
    Tcl_CreateCommand(interp, "EnableTicket", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableTicket), NULL);
    Tcl_CreateCommand(interp, "EnableLocalAuth", CmdIntValue,
                      (ClientData) &TicketGlobalData(EnableLocalAuth), NULL);
    Tcl_CreateCommand(interp, "CurrentSecret", CmdIntValue,
                      (ClientData) &TicketGlobalData(CurrentSecret), NULL);
    Tcl_CreateCommand(interp, "LocalAuthExp", CmdIntValue,
                      (ClientData) &TicketGlobalData(LocalAuthExp), NULL);

    /* debug mount; the path string is illegible in the listing, only */
    /* the fragments "/orai" and "xserver" survive                    */
    HT_AddMountHandler(serverPtr, (ClientData) NULL, TICKET_DebugHooks,
                       "/orai...xserver", NULL);

    return HT_OK;
}



/*
 * TICKET_Shutdown --
 *
 *   Calls all the necessary routines to shutdown the ticket subsystem.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Memory freed.
 */
void TICKET_Shutdown(HTTP_Server *serverPtr)
{
    HashEntry *entryPtr;
    HashSearch search;
    DString *dstring;

    DStringFree(&TicketGlobalData(AuthServer));
    DStringFree(&TicketGlobalData(TicketExpHandler));
    DStringFree(&TicketGlobalData(TicketAdrHandler));

    /* free the malloc'ed secret strings stored by SecretsCmd; the loop */
    /* head is missing in the listing and FirstHashEntry is assumed as  */
    /* the partner of NextHashEntry                                     */
    entryPtr = FirstHashEntry(&TicketServerData.SecretsKid, &search);
    while (entryPtr != NULL)
    {
        dstring = GetHashValue(entryPtr);
        DStringFree(dstring);
        free(dstring);
        entryPtr = NextHashEntry(&search);
    }
    DeleteHashTable(&TicketServerData.SecretsKid);
    DeleteHashTable(&TicketServerData.KeyID);
    DeleteHashTable(&TicketServerData.Domains);
}

/*
 * TICKET_AddRegionCommands --
 *
 *   Add TICKET region commands for authentication/authorization
 *   decisions.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Commands added to the region interpreter.
 */
void TICKET_AddRegionCommands(HTTP_Request *reqPtr, Tcl_Interp *interp)
{
    Tcl_CreateCommand(interp, "RequireSID", TICKET_RequireSidCmd,
                      (ClientData) reqPtr, NULL);
    Tcl_CreateCommand(interp, "RequireTicket", TICKET_RequireTicketCmd,
                      (ClientData) reqPtr, NULL);
}



/*
 * TICKET_GetCGIVariables --
 *
 *   Add TICKET CGI variables to the CGI variable table.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Extends the CGI variable hash table.
 */
void TICKET_GetCGIVariables(HTTP_Request *req)
{
    TICKET_Request *ticketPtr = (TICKET_Request *)
        HT_GetReqExtData(req, TicketServerData.ticketExtensionId);

    /*
     * If there's no extension data we don't have a ticket. Just return.
     */
    if (ticketPtr == NULL)
        return;

    if (DStringLength(&ticketPtr->rawUrl) != 0)
        HT_AddCGIParameter(req, "TICKET_URL",
                           DStringValue(&ticketPtr->rawUrl));
    if (DStringLength(&ticketPtr->sid) != 0)
        HT_AddCGIParameter(req, "TICKET_SID",
                           DStringValue(&ticketPtr->sid));
    if (DStringLength(&ticketPtr->fields) != 0)
        HT_AddCGIParameter(req, "TICKET_FIELDS",
                           DStringValue(&ticketPtr->fields));
    if (DStringLength(&ticketPtr->signature) != 0)
        HT_AddCGIParameter(req, "TICKET_SIG",
                           DStringValue(&ticketPtr->signature));
}



/*
 * TICKET_GetUrl --
 *
 *   Return the original url (with sid).
 *
 * Results:
 *   The url.
 *
 * Side effects:
 *   None.
 */
char *TICKET_GetUrl(HTTP_Request *reqPtr)
{
    TICKET_Request *ticketPtr;

    ticketPtr = (TICKET_Request *)
        HT_GetReqExtData(reqPtr, TicketServerData.ticketExtensionId);
    if ((ticketPtr != NULL) && (DStringLength(&ticketPtr->rawUrl) != 0))
        return DStringValue(&ticketPtr->rawUrl);
    else
        return DStringValue(&reqPtr->url);
}



/*
 * TICKET_ConfigCheck --
 *
 *   Perform late configuration checks.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   Possible message logged/printed, and program exit'd.
 */
void TICKET_ConfigCheck()
{
    HashEntry *entryPtr;
    int kid;

    if ((TicketGlobalData(EnableSid) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableSid must be 0 or 1");
        exit(0);
    }
    if (!(TicketGlobalData(EnableSid))) return;

    /* the configured secret id must fit the kid field and name a secret */
    kid = TicketGlobalData(CurrentSecret);
    if ((kid & kid_mask) != kid)
    {
        LogMessage(LOG_ERR, "CurrentSecret id %d is out of range", kid);
        exit(0);
    }
    entryPtr = FindHashEntry(&TicketServerData.SecretsKid, (void *) kid);
    if (entryPtr == NULL)
    {
        LogMessage(LOG_ERR, "No secret defined for CurrentSecret id %d", kid);
        exit(0);
    }

    if ((TicketGlobalData(FreeArea) & ~0xff) != 0)
    {
        LogMessage(LOG_ERR, "FreeArea must be between 0 and 255");
        exit(0);
    }

    if ((TicketGlobalData(EnableSidTicket) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableSidTicket must be 0 or 1");
        exit(0);
    }

    if ((TicketGlobalData(EnableTicket) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableTicket must be 0 or 1");
        exit(0);
    }

    if ((TicketGlobalData(EnableLocalAuth) & ~0x1) != 0)
    {
        LogMessage(LOG_ERR, "EnableLocalAuth must be 0 or 1");
        exit(0);
    }
}



/*
 * TICKET_DebugHooks --
 *
 *   Check for debug hooks and execute if found.
 *
 * Results:
 *   None.
 *
 * Side Effects:
 *   None.
 */
static void TICKET_DebugHooks(ClientData client, char *suffix,
                              HTTP_Request *reqPtr)
{
    if (strcmp(suffix, "/ticketstatus") == 0)
    {
        DumpStatus(reqPtr);
        HT_FinishRequest(reqPtr);
        return;
    }

    HTTP_Error(reqPtr, NOT_FOUND, "access denied to poorly formed url");
    HT_FinishRequest(reqPtr);
    return;
}

/*
 * DumpStatus --
 *
 *   Dump the server's ticket status.
 *
 * Results:
 *   None.
 *
 * Side effects:
 *   None.
 */
#define BUFSIZE 1024

static void DumpStatus(HTTP_Request *reqPtr)
{
    HTTP_Server *serverPtr = reqPtr->serverPtr;
    char tmp[BUFSIZE], timeStr[BUFSIZE];
    struct utsname sysinfo;
    time_t uptime;
    int hours;

    HTTP_BeginHeader(reqPtr, "200 OK");
    HTTP_Header(reqPtr, "Content-type: text/html", NULL);
    HTTP_EndHeader(reqPtr);

    HTTP_Send(reqPtr, "<title>WebServer Ticket Status</title>",
              "<h1>WebServer Ticket Status</h1>", NULL);
    HTTP_Send(reqPtr, "<p><hr><p><h2>Ticket Log</h2>", "<p><pre>\n", NULL);

    /* one line per event counter; the label text is partly reconstructed */
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of URLs",
            TicketGlobalData(CountTotalUrl));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of SID URLs",
            TicketGlobalData(CountSidUrl));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of Valid SID's",
            TicketGlobalData(CountValidSid));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of Expired SID's",
            TicketGlobalData(CountExpSid));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of Invalid SID's",
            TicketGlobalData(CountInvalidSid));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of Cross Domain accesses",
            TicketGlobalData(CountCrossDomain));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of Local Redirects",
            TicketGlobalData(CountLocalRedirects));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of Remote Redirects",
            TicketGlobalData(CountRemoteRedirects));
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>%s: </b> %d\n", "Number of NO Redirects",
            TicketGlobalData(CountNoRedirects));
    HTTP_Send(reqPtr, tmp, "</pre>", NULL);

    uptime = time(NULL) - serverPtr->started;
    uname(&sysinfo);
    strftime(timeStr, BUFSIZE, "%A, %d-%b-%y %T",
             localtime(&serverPtr->started));

    /* note: host name, OS release and server software version are sent to */
    /* any client that reaches the debug mount                              */
    sprintf(tmp, "Server running on <b>%s</b> (%s %s) port %d, has been up "
                 "since %s.<p>", sysinfo.nodename, sysinfo.sysname,
            sysinfo.release, serverPtr->server_port, timeStr);
    HTTP_Send(reqPtr, tmp, NULL);

    sprintf(tmp, "<pre><b>Number of connections: </b>%d\n",
            serverPtr->numConnects);
    HTTP_Send(reqPtr, tmp, NULL);
    sprintf(tmp, "<b>Number of HTTP requests: </b>%d\n",
            serverPtr->numRequests);
    HTTP_Send(reqPtr, tmp, "</pre><p>", NULL);

    hours = max(uptime / 3600, 1);
    sprintf(tmp, "This server is averaging <b>%d</b> requests per hour.<p>",
            serverPtr->numRequests / hours);
    HTTP_Send(reqPtr, tmp, NULL);

    DumpRusage(reqPtr);
    /* DumpConnections(reqPtr); */
    DNSDumpStats(reqPtr);

    HTTP_Send(reqPtr, "<hr><address>", DStringValue(&ht_serverSoftware),
              "</address>\n", NULL);

    reqPtr->done = TRUE;
}

#undef BUFSIZE
CLAIMS 

What is claimed is: 

1. A method of processing service requests from a client 
to a server system through a network comprising: 

forwarding a service request from the client to 
the server system; 

returning a session identifier from the server 
system to the client; and 

appending the session identifier to the request 
and subsequent service requests from the client to the 
server system within a session of requests. 

2. A method as claimed in Claim 1 wherein the server
system tracks an access history of sequences of
service requests within the session of requests.

3. A method as claimed in Claim 2 wherein the server
system tracks the access history to determine service
requests leading to a purchase made within the session
of requests.

4. A method as claimed in Claim 1 wherein the server
system counts requests to particular services
exclusive of repeated requests from a common client.

5. A method as claimed in Claim 1 wherein the server
system maintains a database relating customer
information to access patterns, the information
including customer demographics.
6. A method as claimed in Claim 1 wherein the server
system subjects the client to an authorization routine
prior to issuing the session identifier and the
session identifier is protected from forgery.

7. A method as claimed in Claim 6 wherein the server
system comprises plural servers including an
authentication server which provides session
identifiers for service requests to multiple servers.

8. A method as claimed in Claim 7 wherein:

a client directs a service request to a first
server which is to provide the requested service;

the first server checks the service request for a
session identifier and only services a service request
having a valid session identifier, and where the
service request has no valid identifier:

the first server redirects the service
request from the client to the authorization server;

the authorization server subjects the client
to the authorization routine and issues the session
identifier to be appended to the service request to
the first server;

the client forwards the service request
appended with the session identifier to the first
server; and

the first server recognizes the session
identifier and services the service request to the
client; and

the client appends the session identifier to
subsequent service requests to the server system and
is serviced without further authorization.

9. A method as claimed in Claims 1 or 7 wherein the
session identifier includes a user identifier.
10. A method as claimed in Claims 1 or 7 wherein the

session identifier includes an expiration time for the 
session. 

11. A method as claimed in Claim 7 wherein the session
identifier provides access to a protected domain to
which the session has access authorization.

12. A method as claimed in Claim 11 wherein the session
identifier is modified for access to a different
protected domain.

13. A method as claimed in Claim 7 wherein the session
identifier provides a key identifier for key
management.

14. A method as claimed in Claims 1 or 7 wherein the
server system records information from the session
identifier in a transaction log in the server system.

15. A method as claimed in Claims 1 or 7 wherein
communications between the client and server system
are according to hypertext transfer protocol and the
session identifier is appended as part of a path name
in a uniform resource locator.

16. A method as claimed in Claim 15 wherein the client
modifies the path name of a current uniform resource
locator using relative addressing and retains the
session identifier portion of the path name unmodified
for successive requests in the session.
17. A method as claimed in Claims 1 or 7 further comprising
excluding requests made to information from the client
within a defined period of time.

18. A method of processing service requests from a client
to a server system through a network comprising:

responding to a request for a document received
from the client through the network;

appending a session identifier, which includes a
user identification, to the request; and

returning the requested document wherein the
document is customized for a particular user based on
the user identification of the session identifier.

19. A method of processing a service request for a document
received from a client through a network in which the
document has been purchased by a user comprising:

responding to a request for a document received
from a client through the network in which the
document has been purchased by the user;

appending an authorization identifier to the
request; and

returning the requested document if the
authorization identifier indicates that the user is
authorized to access the document.

20. A method as claimed in Claim 19, wherein the
authorization identifier is encoded within a session
identifier which is appended to the request.

21. A method of processing service requests from a client
to a server system through a network comprising:

responding to a request for a document received
from a client through the network;

appending a user identifier to the request;

returning the requested document to the client;
and

charging the user identified in the identifier
for access to the document.

22. A method as claimed in Claim 21, wherein a user
identifier is encoded within a session identifier
which is appended to the request.

23. A method of processing service requests from a client
to a server system through a network comprising: 

forwarding a service request from the client to 
the server system; and 

appending a session identifier to the request and 
subsequent service requests from the client to the 
server system within a session of requests. 

24. An information system on a network comprising:

means for receiving service requests from clients
and for determining whether a service request includes
a session identifier;

means for providing the session identifier in
response to an initial service request in a session of
requests; and

means for servicing service requests from a
client which include the session identifier, the
subsequent service requests being processed in the
session.

25. An information system as claimed in Claim 24 wherein
the means for providing the session identifier is in a
server system which services the requests.

26. An information system as claimed in Claim 23 further
comprising an authorization routine for authorizing
the client prior to issuing the session identifier and
means for protecting the session identifier from
forgery.

27. An information system as claimed in Claim 24 further
comprising a transaction log for recording information
from the session identifier.

28. An information system as claimed in Claim 24 further
comprising means for tracking access history of
sequences of service requests within the session.

29. An information system as claimed in Claim 24 further
comprising means for counting requests to particular
services exclusive of repeated requests from a common
client.

30. An information system as claimed in Claim 24 further
comprising a database relating customer information to
access patterns, the information including customer
demographics.

31. An information system as claimed in Claim 25 wherein
communications between the client and server system
are according to hypertext transfer protocol and the
session identifier is appended as part of a path name
in a uniform resource locator.

32. An information server on a network comprising:

means for responding to requests for hypertext
pages received from a client through the network by
returning the requested hypertext pages to the client;

means for responding to further requests derived
from links in the hypertext pages; and

means for tracking the further requests derived
from a particular hypertext page.

33. An information server as claimed in Claim 32 wherein
the requests include a common session identifier and
the server tracks requests within a session of
requests.

34. An information server as claimed in Claim 32 further
comprising a data base relating customer demographics
to access patterns.

35. A method of providing access to information pages from
a client to a server system through a network
comprising:

providing a telephone number at the client;

mapping the telephone number to a target page
identifier using a translation database;

requesting information described by the page
identifier from the server system; and

displaying a page identified by the page
identifier at the client.

36. A method of providing access to information pages from
a client to a server system through a network
comprising:

providing a descriptor at the client; 

mapping the descriptor to a target page 
identifier using a translation database; 

requesting at the client information described by 
the page identifier from the server system without 
further user action; and 

displaying a page identified by the page 
identifier at the client. 
37. A method as claimed in Claims 35 or 36 wherein the
translation database resides in the server system
which returns a uniform resource locator in a REDIRECT
command to the client to cause the client to request
the information using the uniform resource locator.

38. A method as claimed in Claim 36 wherein the descriptor
comprises a telephone number.

39. A method as claimed in Claim 36 wherein the descriptor
comprises a descriptive term.

40. A method as claimed in Claim 39 wherein the term
includes a company name.

41. A method as claimed in Claim 39 wherein the term
includes a product name.

42. A method as claimed in Claim 39 wherein the term is
identified by phonetic mapping.

43. A method as claimed in Claims 35 or 38 wherein the
target page identifier describes a controlled page.

44. A method as claimed in Claims 35 or 36 wherein the
target page identifier is a uniform resource locator.
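The following worked example is added by the editor; it is not part of the patent and not code from the listing above. It shows one concrete realization of the session-identifier scheme of Claims 6 through 16: an identifier carried as the first segment of the URL path (Claim 15) that names a user (Claim 9), a protected domain (Claims 11 and 12) and an expiration time (Claim 10); forgery protection (Claim 6), here implemented as an HMAC-SHA256 tag over those fields, which the claims do not specify; the redirect exchange between a content server and an authorization server (Claims 7 and 8); and client-side relative link resolution that keeps the identifier segment unmodified (Claim 16). The `@...@` delimiter, the field names, the host names, the `target` query parameter, the shared secret and the credential table are all assumptions of this example, and the current time is passed in explicitly so the exchange is reproducible.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urljoin, urlsplit, urlunsplit

# Assumed for this example: the secret shared by the authorization server and
# the content servers, the authorization server's address, and a credential
# table (constructed test data, not real accounts).
SECRET = b"example-shared-secret"
AUTH_SERVER = "http://auth.example.test"
USERS = {"alice:hunter2": "alice"}

# The identifier is the first path segment: @u=<user>,d=<domain>,e=<expiry>,m=<mac>@
# The '@' delimiters and field names are this example's own choice.
SID_RE = re.compile(r"^@u=(\w+),d=(\w+),e=(\d+),m=([A-Za-z0-9_-]+)@$")


def _mac(payload: str, secret: bytes) -> str:
    """Forgery protection: truncated HMAC-SHA256 over the identifier fields."""
    digest = hmac.new(secret, payload.encode(), hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_sid(user_id: str, domain: str, expires_at: int, secret: bytes = SECRET) -> str:
    """Issue an identifier bound to a user, a protected domain and an expiry time."""
    if not (re.fullmatch(r"\w+", user_id) and re.fullmatch(r"\w+", domain)):
        raise ValueError("user id and domain must consist of word characters")
    payload = f"u={user_id},d={domain},e={expires_at}"
    return f"@{payload},m={_mac(payload, secret)}@"


def verify_sid(sid, domain: str, now: int, secret: bytes = SECRET):
    """Return the user id if sid is authentic, unexpired and issued for `domain`, else None."""
    match = SID_RE.match(sid or "")
    if not match:
        return None
    user_id, sid_domain, expires, tag = match.groups()
    payload = f"u={user_id},d={sid_domain},e={expires}"
    if not hmac.compare_digest(_mac(payload, secret), tag):
        return None  # forged or altered
    if int(expires) <= now:
        return None  # expired
    if sid_domain != domain:
        return None  # issued for a different protected domain (Claim 12: re-issue)
    return user_id


def split_sid(path: str):
    """Split '/@...@/rest' into (sid, '/rest'); sid is None when the path carries none."""
    parts = path.split("/", 2)
    if len(parts) >= 2 and parts[1].startswith("@") and parts[1].endswith("@"):
        return parts[1], "/" + (parts[2] if len(parts) == 3 else "")
    return None, path


def content_server(url: str, domain: str, now: int) -> dict:
    """First server: serve only requests with a valid identifier, else redirect (Claim 8)."""
    parts = urlsplit(url)
    sid, rest = split_sid(parts.path)
    user = verify_sid(sid, domain, now)
    if user is None:
        target = urlunsplit(parts._replace(path=rest))  # original request, identifier stripped
        return {"status": 302,
                "location": f"{AUTH_SERVER}/login?target={quote(target, safe='')}"}
    return {"status": 200, "user": user, "path": rest}


def auth_server(login_url: str, credentials: str, domain: str, now: int, ttl: int = 3600) -> dict:
    """Authorization server: check credentials, then send the client back with the identifier."""
    query = urlsplit(login_url).query
    target = unquote(query[len("target="):]) if query.startswith("target=") else ""
    user = USERS.get(credentials)
    if user is None:
        return {"status": 403}
    sid = make_sid(user, domain, now + ttl)
    t = urlsplit(target)
    return {"status": 302, "location": urlunsplit(t._replace(path="/" + sid + t.path))}


def follow_link(current_url: str, href: str) -> str:
    """Client-side link resolution (Claim 16): a relative href keeps the identifier segment."""
    return urljoin(current_url, href)


if __name__ == "__main__":
    now = 1_700_000_000
    step1 = content_server("http://shop.example.test/catalog/item42.html", "shop", now)
    step2 = auth_server(step1["location"], "alice:hunter2", "shop", now)
    step3 = content_server(step2["location"], "shop", now + 10)
    print(step1, step2, step3, sep="\n")
```

Two points the exchange makes visible. First, only a relative href such as `item43.html` retains the identifier; an absolute path such as `/catalog/item43.html` resolves without it and triggers a fresh redirect, which is why Claim 16 is a requirement on the client. Second, because the identifier travels in the path, it is copied into server logs, browser history and Referer headers of any outbound link, so the expiration time of Claim 10 bounds how long a leaked identifier stays usable, and the forgery tag is what stops a holder from editing the user or domain fields.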